Security Overview
Last Updated: Version 1.0 — 18 May 2026
For IT security teams and enterprise customers conducting vendor due diligence.
1. Summary
ReceivableIQ is built on enterprise-grade cloud infrastructure. Customer data is encrypted in transit and at rest, isolated per customer at the database level, and is never shared with or used to train AI models. A full Data Processing Agreement (DPA) is available on request.
2. Infrastructure
| Layer | Provider | Certifications |
|---|---|---|
| Database / Auth | Supabase on AWS | SOC 2 Type II, ISO 27001 |
| App Hosting | Vercel | SOC 2 Type II |
| AI Processing | Anthropic | Commercial DPA, no training on customer data |
| DDoS / Network | Cloudflare | SOC 2 Type II, ISO 27001 |
| Data Region | AWS Japan (ap-northeast-1) | AWS-certified region |
GCC data residency is available for enterprise customers.
3. Data Encryption
- TLS 1.2+ for all data in transit
- AES-256 for all data at rest
- Backups are encrypted at rest
- Encryption is enforced and managed by AWS
4. Tenant Isolation
- Row-level security (RLS) is enforced at the database level.
- It is technically impossible for one customer to read or modify another customer's data.
- Isolation is enforced by the database, not by application code alone.
5. Authentication
- Supabase Auth with JWT tokens
- Passwords stored as bcrypt hashes
- Sessions expire on inactivity
- Multi-factor authentication (MFA) is available
- Role-based access control within each organisation
6. AI Data Handling
What is and is not sent to AI providers:
| Field | Sent to AI |
|---|---|
| Company names and industries | YES |
| Invoice amounts and aging buckets | YES |
| Aggregated AR patterns | YES |
| Email addresses | NEVER |
| Phone numbers | NEVER |
| Free-text notes | NEVER |
| Uploaded documents | NEVER |
- Anthropic does not use customer data for model training.
- An AI kill switch is available per organisation.
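The table above describes an allow-list: only the named fields may leave for the AI provider, and everything else is dropped before the request is built. The following Python is an added illustration of that pattern and is not ReceivableIQ's own code; the record layout, field names and the constructed sample record are assumptions. It builds the outbound payload from an explicit allow-list and then scans the result, so a denied field or a contact-looking value cannot slip through even if a record gains a new field later.

```python
"""Allow-list builder for the payload sent to an AI provider (illustrative, not product code)."""
import re
from typing import Any

# Fields the overview table marks YES. Anything not named here is never copied.
ALLOWED_FIELDS = frozenset(
    {"company_name", "industry", "invoice_amount", "aging_bucket", "ar_pattern"}
)

# Fields the table marks NEVER. Listed only so the final check can confirm they are
# absent at every nesting level; the allow-list alone already excludes them.
DENIED_FIELDS = frozenset({"email", "phone", "notes", "documents"})

# Defence in depth: reject string values that look like contact data even inside
# an allowed field (a company name pasted with an address line, for example).
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


class PayloadLeakError(ValueError):
    """Raised when a denied field or a contact-looking value is found in the payload."""


def verify_no_pii(obj: Any, path: str = "$") -> None:
    """Walk the payload and raise on denied keys or contact-looking strings."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in DENIED_FIELDS:
                raise PayloadLeakError(f"denied field {key!r} at {path}")
            verify_no_pii(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            verify_no_pii(value, f"{path}[{i}]")
    elif isinstance(obj, str):
        if EMAIL_RE.search(obj) or PHONE_RE.search(obj):
            raise PayloadLeakError(f"contact-looking value at {path}")


def build_ai_payload(record: dict[str, Any]) -> dict[str, Any]:
    """Copy only allow-listed fields, then verify nothing PII-like remains."""
    payload = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    verify_no_pii(payload)
    return payload


def would_leak(record: dict[str, Any]) -> bool:
    """True if building the payload for this record is refused by the final scan."""
    try:
        build_ai_payload(record)
    except PayloadLeakError:
        return True
    return False


# Constructed sample record (hypothetical field names and values).
SAMPLE_RECORD = {
    "company_name": "Acme Trading LLC",
    "industry": "Wholesale",
    "invoice_amount": 12500.00,
    "aging_bucket": "61-90",
    "ar_pattern": {"dso_days": 74, "late_ratio": 0.31},
    "email": "ap@example.com",
    "phone": "+971 4 000 0000",
    "notes": "Call Ahmed re: disputed line item",
    "documents": ["invoice_1042.pdf"],
}

if __name__ == "__main__":
    print(build_ai_payload(SAMPLE_RECORD))
```

The allow-list is the control; the scan is a tripwire. A deny-list on its own fails silently when a new column is added to the record, whereas an allow-list requires someone to name the new field before it can be sent.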
7. Audit Logging
The following events are logged:
- Every login and logout
- Every AI call, including the model version
- Every report generated
- Every import and export
- Every administrative action
Audit logs are retained for 7 years and are available to enterprise customers on request.
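A log that must still be trustworthy after seven years needs a way for a reviewer to check that entries were neither edited nor removed. The Python below is an added illustration of one such technique, a hash-chained append-only log, and is not ReceivableIQ's implementation; the event names, the `AuditEvent` layout and the constructed sample events are assumptions. Each entry's digest covers the previous entry's digest, so altering any record (for example the model version on an AI call) invalidates every entry after it.

```python
"""Tamper-evident audit log for the event types listed above (illustrative, not product code)."""
import copy
import hashlib
import json
from dataclasses import asdict, dataclass, field

GENESIS = "0" * 64  # chain anchor for the first entry


@dataclass(frozen=True)
class AuditEvent:
    org_id: str
    actor: str
    action: str  # login | logout | ai_call | report_generated | import | export | admin_action
    at: str  # ISO 8601 timestamp supplied by the caller
    details: dict = field(default_factory=dict)  # e.g. {"model": "..."} for ai_call


def entry_digest(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON form of the event."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self._entries: list[dict] = []

    def append(self, event: AuditEvent) -> str:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = asdict(event)
        digest = entry_digest(prev, body)
        self._entries.append({"prev": prev, "event": body, "hash": digest})
        return digest

    def entries(self) -> list[dict]:
        return copy.deepcopy(self._entries)  # callers cannot mutate the log through the copy


def verify_chain(entries: list[dict]) -> tuple[bool, int]:
    """Return (True, -1) if every link holds, else (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry["prev"] != prev or entry_digest(entry["prev"], entry["event"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


def sample_log() -> AuditLog:
    """Constructed events covering a login, an AI call with its model version, and a report."""
    log = AuditLog()
    log.append(AuditEvent("org-demo", "alice", "login", "2026-05-18T09:00:00Z"))
    log.append(AuditEvent("org-demo", "alice", "ai_call", "2026-05-18T09:05:00Z",
                          {"model": "model-version-placeholder"}))
    log.append(AuditEvent("org-demo", "alice", "report_generated", "2026-05-18T09:06:00Z",
                          {"report_id": "rpt-0001"}))
    return log


def tampered_copy(entries: list[dict]) -> list[dict]:
    """Simulate an after-the-fact edit of the recorded model version on the AI call."""
    edited = copy.deepcopy(entries)
    edited[1]["event"]["details"]["model"] = "some-other-version"
    return edited


if __name__ == "__main__":
    log = sample_log()
    print(verify_chain(log.entries()))          # (True, -1)
    print(verify_chain(tampered_copy(log.entries())))  # (False, 1)
```

One caveat worth checking with any vendor that makes an immutability claim: a chain like this detects edits and deletions in the middle of the log, but not silent truncation of the most recent entries. Detecting that requires the head digest to be anchored somewhere the log writer cannot rewrite, such as a periodically exported checkpoint held by the customer.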
8. AI Governance
- Immutable report storage (Clause 9 of the AI Governance Policy).
- Full AI audit trail including the model version (Clause 12).
- Per-tenant kill switch (Clause 13).
- No automated decisions — all AI output is advisory only.
9. Incident Response
- We investigate and contain incidents immediately.
- We notify affected customers within 72 hours of discovering a personal data breach.
- A full incident report is provided to affected customers.
- We cooperate fully with regulators.
10. Compliance
| Framework | Status |
|---|---|
| UAE PDPL | Compliant |
| Saudi Arabia PDPL | Compliant |
| EU GDPR | Compliant where applicable |
| Pakistan Data Protection | Aligned |
11. Data Processing Agreement
A full DPA is available to enterprise customers. Contact legal@receivable-iq.com to request a copy.
12. Contact
For security enquiries, vendor assessments, or additional documentation, contact legal@receivable-iq.com.